Make use of become in role

julian 2023-04-25 17:13:10 +02:00
parent 6e9d07b6f6
commit f9c51842fd


@ -5,6 +5,7 @@
owner: root owner: root
group: root group: root
mode: "755" mode: "755"
become: true
- name: Ensure sub-directory for the certificate exists - name: Ensure sub-directory for the certificate exists
ansible.builtin.file: ansible.builtin.file:
@ -13,6 +14,7 @@
owner: "{{ cert__owner }}" owner: "{{ cert__owner }}"
group: "{{ cert__group }}" group: "{{ cert__group }}"
mode: "755" mode: "755"
become: true
- name: Ensure private key is generated - name: Ensure private key is generated
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
@ -22,6 +24,7 @@
owner: "{{ cert__owner }}" owner: "{{ cert__owner }}"
group: "{{ cert__group }}" group: "{{ cert__group }}"
mode: "0600" mode: "0600"
become: true
- name: Ensure certificate signing request is created - name: Ensure certificate signing request is created
community.crypto.openssl_csr: community.crypto.openssl_csr:
@ -31,6 +34,7 @@
owner: "{{ cert__owner }}" owner: "{{ cert__owner }}"
group: "{{ cert__group }}" group: "{{ cert__group }}"
mode: "0660" mode: "0660"
become: true
register: cert__csr_result register: cert__csr_result
- name: Check certificate status and create ACME challenge if needed - name: Check certificate status and create ACME challenge if needed
@ -45,6 +49,7 @@
csr: "/etc/ansible_certs/{{ item }}/csr.pem" csr: "/etc/ansible_certs/{{ item }}/csr.pem"
dest: "/etc/ansible_certs/{{ item }}/cert.pem" dest: "/etc/ansible_certs/{{ item }}/cert.pem"
fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem" fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
become: true
register: cert__acme_challenge register: cert__acme_challenge
- name: Retrieve certificate and fulfill challenge if needed # noqa no-handler - name: Retrieve certificate and fulfill challenge if needed # noqa no-handler
@ -74,6 +79,7 @@
dest: "/etc/ansible_certs/{{ item }}/cert.pem" dest: "/etc/ansible_certs/{{ item }}/cert.pem"
fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem" fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
data: "{{ cert__acme_challenge }}" data: "{{ cert__acme_challenge }}"
become: true
notify: "{{ cert__handlers }}" notify: "{{ cert__handlers }}"
always: always:
- name: Ensure DNS record is removed - name: Ensure DNS record is removed
@ -93,6 +99,7 @@
owner: "{{ cert__owner }}" owner: "{{ cert__owner }}"
group: "{{ cert__group }}" group: "{{ cert__group }}"
mode: "0660" mode: "0660"
become: true
- name: Ensure correct permissions for fullchain cert are set - name: Ensure correct permissions for fullchain cert are set
ansible.builtin.file: ansible.builtin.file:
@ -100,15 +107,18 @@
owner: "{{ cert__owner }}" owner: "{{ cert__owner }}"
group: "{{ cert__group }}" group: "{{ cert__group }}"
mode: "0660" mode: "0660"
become: true
- name: Get content of cert.pem - name: Get content of cert.pem
ansible.builtin.slurp: ansible.builtin.slurp:
src: "/etc/ansible_certs/{{ item }}/cert.pem" src: "/etc/ansible_certs/{{ item }}/cert.pem"
become: true
register: cert__cert_slurp register: cert__cert_slurp
- name: Get content of fullchain.pem - name: Get content of fullchain.pem
ansible.builtin.slurp: ansible.builtin.slurp:
src: "/etc/ansible_certs/{{ item }}/fullchain.pem" src: "/etc/ansible_certs/{{ item }}/fullchain.pem"
become: true
register: cert__fullchain_slurp register: cert__fullchain_slurp
- name: Ensure ca.pem is created - name: Ensure ca.pem is created
@ -118,3 +128,4 @@
owner: "{{ cert__owner }}" owner: "{{ cert__owner }}"
group: "{{ cert__group }}" group: "{{ cert__group }}"
mode: "0660" mode: "0660"
become: true
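Review bot: The `become: true` added to the two ACME tasks (hunks at -45 and -74) makes the module that talks to the ACME server run with escalated privileges, although the visible arguments only need write access to `/etc/ansible_certs/{{ item }}/`. None of the eleven added lines sets `become_user`, so the target account comes from whatever the play or inventory defines; stating `become_user: root` next to each `become: true` would make that explicit for the tasks that really need it (the `owner:`/`group:` changes and the `"0600"` private key). For the ACME and `slurp` tasks it is worth checking whether the directory's `cert__owner` could do the work instead, e.g. `become_user: "{{ cert__owner }}"`, since `cert.pem` and `fullchain.pem` are created `0660` for that owner. If root is kept everywhere, a short comment such as `# root needed: files live under /etc/ansible_certs` on the first task would record why. The tasks start outside the hunks, so their full argument lists are not visible here.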